Azure Governance
Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.
More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.
Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups
-
Ability to query for DNS Zones CNAME type in Azure Resource Graph
I am able to filter out resources by provider (e.g., 'Microsoft.Network') and higher-level types (e.g., 'Microsoft.Network/dnszones'). However, not all resource types are supported by Resource Graph. For example, DNS Zone record types aren't supported. I would like to get a response for a query like this one:
az graph query -q "where type =~ 'microsoft.network/dnszones/cname'"
6 votes -
Limit Portal View
When applying a Blueprint, have an option to limit what is visible for users to deploy in the Azure Portal
6 votes -
Azure Policy - Compliance Overview & Non-Compliant Resources Details
The "non-compliance resources" view and also the detailed "resource compliance" blade need to show more details on the policy rule that was not compliant (e.g. what field, expected values, actual values).
For example, if I have a policy that checks for a tag existence, which has a parameter of tagName, then have an initiative which has that policy linked 4 times with different tagName parameters, you can't tell which is which or what the actual values of the resource evaluated were.
6 votes -
Not be able to create exemptions as an evasion for policies assigned to a management group
When assigning a blueprint with resources and policies (e.g. "Allowed Locations for resource groups") to a Management Group, currently the owner of the subscription cannot delete the assigned policies, but he can still make policy exemptions for those assigned policies, so this way he can evade the assigned policies.
5 votes -
Ability to query SQL Server Audit Settings
Please add support for type:
Microsoft.Sql/servers/auditingSettings
5 votes -
Blueprints and ARM Complete mode
Today, without the ability to specify complete mode deployments, we struggle undoing items from ARM templates. As blueprints change over time, would make our lives much easier if we didn't need to drop into Azure CLI or REST to undo changes
https://github.com/neilpeterson/azure-blueprints-pipeline-tasks/issues/66
5 votes -
Azure Policy: Custom Rules
AWS Config has the ability to define custom rules, where the rule evaluation is run within a lambda function: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html
It would be nice if Azure Policy had an equivalent capability--that way, arbitrarily complex evaluations could be defined by using a language such as python instead of being limited to what the policy definition's JSON language supports
5 votes -
Azure Policy Initiatives - allow Policy exclusion changes
An initiative contains multiple policies, and need to be able to exclude application of a child policy while maintaining enforcement of the other policies within. Today, it is 'all or nothing' application of the initiative.
5 votes -
Include expanded instance view information into virtual machines response
It would be very useful to include
properties.instanceView
into base response for 'Microsoft.Compute/virtualMachines'. It's not efficient enough to get instance statuses for each machine in separate API call. Moreover I didn't find an ability to retrieve this property via GraphAPI at all.
5 votes -
Azure policy effect "deny" doesn't work on API call "delete"
Hello,
Currently Azure policy effect "deny" doesn't work on API call "delete". This creates issues when cx's create policies with deny effect. For example, when we try to create a policy which prevents users from disconnecting "VNET INTEGRATION", the operation which takes place is Delete(Microsoft.Web/sites/networkconfig/virtualNetwork).
5 votes -
View changes across all resources
Ability to see which Azure resources changed over a time period
5 votes
This feature request is currently in our backlog. We’ll provide updates here once we triage and start working on it.
-
Allow blueprints to register services within subscriptions
Currently the only way to register all services for a subscription, if the users don't have owner or contributor roles on them, is to run a shell command for every single subscription to register all services. Being able to do this within a blueprint would save a great amount of time when building out tenants.
5 votes -
Evaluate a condition of Azure policy rules from powershell / az cli
When creating policies it would be convenient to test our condition locally by targeting a specific resource group for example.
Currently we should create the policy and assign it and wait for the result.
4 votes -
I'd like to leverage the resource graph explorer tool to be able to analyse cost and expenditures.
I want to be able to create graphs that show details on cost and expenditures.
how much are resources X costing me, if I make these changes how will that price change, so on and so on.
4 votes -
Allow for blueprint access on management groups without seeing all other subscriptions beneath it
We want to give access to blueprints on management groups without the user seeing all other subscription below that management group.
4 votes -
Support Optional Blueprint Parameters
Currently, all Blueprint Parameters require a value to be entered. Please support optional parameters for Blueprints. There are numerous use cases for this:
- Deploy a VM standalone or in an Availability Set.
- Add additional tags to resources.
- And so on...
4 votes -
Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.
Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.
4 votes -
Resource Changes: Track resource move
Create a change log when a resource is moved to a different resource group and maintain its history from before it moved
4 votes -
Ability to query for custom role definitions in Azure Resource Graph
Please add support for listing all custom role definitions
Resource Type: Microsoft.Authorization/roleDefinitions
https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2017-09-01/roledefinitions
4 votes -
Allow use of resourceGroup() functions within a resource group artifact
When using an ARM template artifact within a resource group artifact, allow us to use the resourceGroup() functions, like resourceGroup().location. Currently, we receive the error: Error: 'The function 'resourceGroup' is not valid.'
4 votes
We are working on a fix to make sure all ARM template functions work if they are deployed by a blueprint